MongoDB Enterprise provides support for Kerberos authentication of
MongoDB clients to mongod and mongos. Kerberos is
an industry standard authentication protocol for large client/server
systems. Kerberos allows MongoDB and applications to take advantage of
existing authentication infrastructure and processes.

In a Kerberos-based system, every participant in the authenticated
communication is known as a “principal”, and every principal must have
a unique name.

Principals belong to administrative units called realms. For each
realm, the Kerberos Key Distribution Center (KDC) maintains a database
of the realm's principals and their associated "secret keys".

For client-server authentication, the client requests from the KDC a
"ticket" for access to a specific service. The KDC uses the client's
secret and the server's secret to construct the ticket, which allows
the client and server to mutually authenticate each other without
either long-term secret being sent over the network.

Kerberos service principal names take the form
<service>/<fully qualified domain name>@<KERBEROS REALM>. For MongoDB,
the <service> component defaults to mongodb. For example, if
m1.example.com is a MongoDB server, and example.com maintains the
EXAMPLE.COM Kerberos realm, then m1.example.com should have the service
principal name mongodb/m1.example.com@EXAMPLE.COM. The service name can
be changed with the saslServiceName server parameter, in which case the
principal registered with the KDC must use the same name. Because
clients build the service principal name from the host name they
connect to, the fully qualified domain name in the principal must match
the name clients use to reach the server.

Linux systems can store Kerberos authentication keys for a
service principal in keytab
files. Each Kerberized mongod and mongos instance
running on Linux must have access to a keytab file containing keys for
its service principal.

A keytab holds the service's long-term key, so anyone who can read it
can impersonate the mongod or mongos to clients. To keep keytab files
secure, use file permissions that restrict access to only the user that
runs the mongod or mongos process (for example, owned by that user with
mode 0600).
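The following added example (POSIX shell; not part of the MongoDB documentation) ties the two points above together: it builds the service principal name MongoDB expects for a host, checks that a keytab is owned by the server's user and unreadable by everyone else, and confirms that the principal is present in the keytab using `klist -kt`. The path /etc/mongodb.keytab, the user name mongodb, and the host and realm are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not MongoDB's own tooling: pre-flight checks for a
# mongod/mongos keytab. Path, user, host and realm below are assumptions.

# Build the service principal name <service>/<fqdn>@<REALM>; <service>
# defaults to "mongodb" as MongoDB expects.
expected_spn() {
    # $1 = fully qualified host name, $2 = Kerberos realm,
    # $3 = service name (optional, defaults to mongodb)
    printf '%s/%s@%s\n' "${3:-mongodb}" "$1" "$2"
}

# Return 0 when the keytab exists, is owned by the given user (name or
# uid) and is mode 0600 or 0400, i.e. unreadable by any other account.
keytab_perms_ok() {
    # $1 = keytab path, $2 = user the mongod/mongos process runs as
    [ -f "$1" ] || return 1
    want_uid=$(id -u "$2" 2>/dev/null) || return 1
    if kt_stat=$(stat -c '%a %u' "$1" 2>/dev/null); then
        :                                            # GNU coreutils / busybox
    else
        kt_stat=$(stat -f '%Lp %u' "$1") || return 1 # BSD / macOS
    fi
    kt_mode=${kt_stat% *}
    kt_uid=${kt_stat#* }
    [ "$kt_uid" = "$want_uid" ] || return 1
    case "$kt_mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when the `klist -kt` listing read on stdin contains the given
# principal in its last column, 1 otherwise.
listing_has_spn() {
    # $1 = expected service principal name
    awk -v spn="$1" '$NF == spn { found = 1 } END { exit !found }'
}

# Usage with placeholder values; nothing here aborts the script.
KEYTAB=/etc/mongodb.keytab
RUN_AS=mongodb
SPN=$(expected_spn m1.example.com EXAMPLE.COM)

if [ -f "$KEYTAB" ]; then
    keytab_perms_ok "$KEYTAB" "$RUN_AS" ||
        echo "WARNING: $KEYTAB should be mode 0600 and owned by $RUN_AS" >&2
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$KEYTAB" | listing_has_spn "$SPN" ||
            echo "WARNING: $SPN not found in $KEYTAB" >&2
    fi
fi
```

Run it as root or as the server's own user before starting mongod; a warning about permissions means the key is exposed to other local accounts, and a missing principal means the KDC issued the keytab for a different name than clients will request.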

Unlike on Linux systems, mongod and mongos
instances running on Windows do not require access to keytab files.
Instead, the mongod and mongos instances read
their server credentials from a credential store specific to the
operating system.

You can, however, export a keytab file from Windows Active Directory
for use on Linux systems with the ktpass utility. See Ktpass for more
information.